FTC Delays Enforcement of Identity Theft Prevention Regulations Until November 1, 2009
The Federal Trade Commission (FTC) announced on July 29, 2009, that it would again delay enforcement of its anti-identity theft regulation, commonly known as the “Red Flags Rule,” until November 1, 2009. The Red Flags Rule, promulgated by the FTC pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003, is aimed at preventing identity theft. It requires “creditors” and financial institutions with “covered accounts”—including many health care providers—to implement programs to identify, detect and respond to the warning signs that could indicate identity theft. This recent delay represents the third time that the FTC has postponed enforcement of the Red Flags Rule.
The FTC stated in a press release that it delayed the August 1, 2009, deadline so that it could redouble its efforts to educate small businesses and other entities on compliance with the Red Flags Rule. The FTC further noted that it intends to ease the burden of compliance by providing additional resources and guidance to clarify whether businesses are covered by the Red Flags Rule and what they must do to comply. The FTC also promised to offer guidance specifically for small and low-risk entities through the Red Flags Rule Web site, www.ftc.gov/redflagsrule. The FTC has already posted some guidance (in the form of FAQs), which is available at www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm.
Critics from various industries, including the health sector, have voiced concerns over the FTC’s approach to the Red Flags Rule, and they have some allies in Congress. For example, the American Medical Association has objected to the FTC’s position that physicians may be “creditors” that are subject to the Red Flags Rule. The American Bar Association has threatened to file a lawsuit against the FTC unless the agency exempts attorneys from compliance with the Red Flags Rule. The House Appropriations Committee recently requested that the FTC defer enforcement as well as make additional efforts to minimize the burdens of the Red Flags Rule on health care providers and small businesses with a low risk of identity theft problems. In April 2009, the chair of the House Small Business Committee similarly urged the FTC to delay enforcement and to analyze the burden of the Red Flags Rule on health care professionals.
For more on the Red Flags Rule and its requirements, including an overview of the components of a Red Flags Program and highlights of Red Flags Program administration requirements, see the July 1 Akin Gump alert, “FTC Set to Begin Enforcing Identity Theft Prevention Regulations on August 1, 2009.” If you have any questions regarding this alert, the Red Flags Rule or laws concerning the privacy and security of health information more generally, please contact–